Final Interpretation for RI # 254 – Applicability of ISO/IEC standards

Date: 04/04/2005

Subject: Comment from ISO/IEC WG3, CAN&ISSEA

CC Part #1 Reference: CC Part 1, Annex C, Bibliography

CC Part #2 Reference:

CC Part #3 Reference:

CEM Reference:


Issue:

Determine the applicability of provided ISO standards for reference within the CC/CEM.


Specific Changes

Add the following reference to Part 1 Annex C Bibliography:

PPRP    ISO/IEC FDIS 15292:2001 Information technology - Security techniques - Protection Profile registration procedures.

Rationale

The following documents were received from ISO at the October 2003 CCIMB meeting and have been reviewed to determine whether they should be referenced:

Closely related standard. To be included in the references.

This CDIF family of standards is primarily designed to be used as a description of a mechanism for transferring information between modelling tools. While the CC does not mandate these mechanisms to be applied, this standard will assist the vendors and users of modelling tools and metadata repositories in developing mechanisms for interchanging information.

This standard defines a particular framework to cover the life cycle of software from conceptualization of ideas through retirement and consists of processes for acquiring and supplying software products and services. In addition, the framework provides for controlling and improving these processes.

While these software life cycle processes can be used while applying the CC, the CC does not mandate such a framework to be applied.

This standard provides a common process framework covering the life cycle of man-made systems. This life cycle spans the conception of ideas through to the retirement of a system. It provides the processes for acquiring and supplying systems. In addition, this framework provides for the assessment and improvement of the life cycle processes.

While these system life cycle processes can be used while applying the CC, the CC does not mandate such a framework to be applied.

This report addresses the adoption practices appropriate for a wide range of computing organizations. Also, this report neither dictates nor advocates particular development standards, software processes, design methods, methodologies, techniques, programming languages, or life-cycle paradigms.

While the CC does not mandate specific CASE tools, it does not preclude the adoption of the development tools in accordance with the guidelines defined in this report.

This standard defines both a sequence of processes and a structured set of CASE tool characteristics for use in the technical evaluation and the ultimate selection of a CASE tool.

While the CC does not mandate specific CASE tools, it does not preclude the selection of development tools in accordance with the processes defined in the standard. However, the tool characteristics applied in the selection method do not consider aspects that may be required by the CC (access control, for example).

The SSE-CMM® is a process reference model. It is focussed upon the requirements for implementing security in a system or series of related systems, i.e. the IT security (ITS) domain. Within the ITS domain the SSE-CMM® Model is focussed on the processes used to achieve ITS, most specifically on the maturity of those processes.

This standard is one of the various approaches to organizational security best practices specification and assessment. This area is currently under active research and development in the CC area, with no results yet available to determine the applicability of this particular reference.

The objective of this Technical Report is to present a variety of assurance methods, and to guide the IT Security Professional in the selection of an appropriate assurance method (or combination of methods) to achieve confidence that a given Deliverable satisfies its stated IT security assurance requirements. This report examines assurance methods and approaches proposed by various types of organisations, whether they are approved or de facto standards.

This report references and compares the assurance methods applied in the CC with a variety of other assurance methods. However, the complete Technical Report had not been published as of November 2004. It is recommended for reference once published.

The purpose of ISO/IEC 13335 is to provide guidance, not solutions, on management aspects of information and communications technology (ICT) security.

ISO/IEC 13335 contains guidance on the management of ICT security. Part 1 of ISO/IEC IS 13335 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. The other parts provide operational guidance on ICT security. Together these parts can be used to help identify and manage all aspects of ICT security.

This standard is one of the various approaches to organizational security management. This area is currently under active research and development in the CC area, with no results yet available to determine the applicability of this particular reference.